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3Q0 

A method and apparatus for filtering packets uses digital * ' 

signatures to filter packets in a network. A filter point, such as 3.|g 3,3 

a router or firewall to an intranet, receives a packet including a ^.^ 

header, detects the existence of a signature in the header, tests 
the validity of the signature using a public key. and forwards 
the packets in accordance with the validity of the signature. A 
sender uses a private key obtained from an owner to generate 
the signature, which is created by encrypting a fingerprint 
which corresponds to the data in the packet. Public keys are 
created by an owner which installs them in a domain name 
system or a certification server. Private keys are also created 
by the owner but are disseminated only to authorized senders. 
A method and apparatus for sending packets stores a private 
key in a memory of the data processor, generates a signature 
using the private key. installs the signature into a header of a 
packet; and sends the packet. 
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Method and Apparatus for Using Digital Signatures to 
Filter Packets in a Networl< 



FIELD OF THE INVENTION 

The present invention relates generally to network communications. More 
specifically, the present invention is a method and apparatus for using digital 
signatures to filter packets in a network. 

5 

BACKGROUND OF THE INVENTION 

Internet protocol (IP) Multicasting is a form of network communication in 
which a single message Is sent to multiple destinations at once. A multicast group 
owner sets up a multicast group address. Senders and receivers may join the group 

10 by accessing the group address. 

One problem with IP multicast Is that it allows unauthorized senders to 
transmit to the multicast group, requiring the end host system to keep state and to 
process packets which are not authorized to be sent to the group. The packets are 
transmitted by the unauthorized sender and fonwarded by routers to the end host. 

15 Routers are systems which can be used to forward packets between networks. 

One solution to this problem is for the group owner to encrypt the session and 
require authorized members to obtain a group key in order to decrypt the data. 
However, this mechanism does not prevent denial of service attacks where 
unauthorized senders from a network on one side of a router or a firewall transmit 

20 numerous IP messages to an end host in a network on the other side of the router or 
firewall. The router or firewall passes the packets from the network where the 
sender is located to the network where the end host is located, without processing 
the packets. The end host receives and processes each packet to determine 
whether the sender may join the encrypted session. If the sender is not authorized 

25 to join the session, the end host denies service to that sender. A malicious user, in 
what is called a denial of service attack, may send numerous unauthorized 
messages to an end host system on the other side of a router or a firewall. Even 
though the malicious user is not authorized to access the system, it can cause a 
network bottleneck because the end host at the other side of the router or firewall 
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must process all of the incoming messages to detemnine wliether the sender may 
join the encrypted session, thereby using up networl< bandwidth and resources. 



SUMMARY OF THE INVENTION 
5 Consistent with the present invention, a method and apparatus for using 

digital signatures filters packets in a network in order to avoid wasting router 
bandwidth and resources on processing packets associated with unauthorized 
senders. 

An embodiment consistent with the present invention includes a method 
10 and apparatus for filtering packets, performed by a data processing system, which 
comprises the steps of receiving a packet including a header; detecting the 
existence of a signature in the header, and fonvarding the packet in accordance with 
the validity of the signature. The data processing system that perfonns these steps 
may be, for example, a router or a firewall. An embodiment consistent with the 
15 present invention may be Implemented as a computer program product or as a 
computer data signal embodied in a carrier wave. An embodiment consistent with 
the present invention also includes a method and apparatus for sending packets, 
performed by a data processing system, which comprises the steps of storing a 
private key in a memory of the data processor, generating a signature using the 
20 private key, installing the signature into a header of a packet, and sending the 

packet. . An embodiment consistent with the present invention may be implemented 
as a computer program product or as a computer data signal embodied in a carrier 
wave. 

An owner disseminates private keys to the senders. When there are 
25 numerous keys, the keys may be stored in indexed tables. A sender signs the 
packet using the one of the private keys. A router or a firewall then detemnines the 
validity of the signature by checking the signature using the public key. If the 
signature is valid, the router or firewall fonwards the packet. Packets having an 
invalid signature are discarded. 
30 The method for signing the packet may include creating a fingerprint 

corresponding to the data and encrypting the fingerprint using a private key to yield 
a signature. The method for checking the signature may include decrypting the 
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fingerprint using a public key and comparing the decrypted fingerprint to a newly 

created fingerprint of the data. 

An embodiment consistent with the present invention also includes a method 

for filtering packets, performed by a data processing system, which comprises the 
5 steps of receiving a plurality of packets, each of which includes a header, 

determining a number of packets received from a particular source, detecting the 

existence of a signature in the header, and forwarding the packet in accordance with 

the validity of the signature and with whether a router limit has been exceeded. The 

router limit may be associated with a number of packets per predetermined set of 
10 senders In order to limit the size of the group of authorized senders. The router limit 

also may be associated with a predetermined period of time to limit the rate at which 

senders transmit packets to the router. 

Advantages of the invention will be set forth, in part, in the description that 

follows and in part, will be understood by those skilled in the art from the description 
15 or may be learned by practice of the invention. The advantages of the invention will 

be realized and attained by means of the elements and combinations particularly 

pointed out in the appended claims and equivalents. 

BRIEF DESCRIPTION OF THE DRAWINGS 
20 The accompanying drawings, which are incorporated in and constitute a part 

of this specification, illustrate several embodiments consistent with the present 
invention and, together with the description, serve to explain the principles of the 
invention. 

Fig. 1 is a diagram of a network in accordance with an embodiment consistent 
25 with the present invention. 

Figs. 2(a) and 2(b) are diagrams of data processing systems in accordance 
with an embodiment consistent with the present invention. 

Fig. 3 is a diagram showing a format of a packet in accordance with an 
embodiment consistent with the present invention. 
30 Fig. 4 is a diagram of a network in which a public key of an owner is placed in 

a DNS server. 
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Fig. 5 is a flow cliart showing steps performed by an owner in accordance 
with an embodiment consistent with the present invention to create and distribute 
l<eys. 

Fig. 6 is a flow chart showing steps performed by a sender in accordance with 
5 an embodiment consistent with the present invention to sign packets. 

Fig. 7 is a flow chart showing steps performed by a router or a firewall in 
accordance with an embodiment consistent with the present invention to determine 
whether to fonward packets. 

Fig. 8 is a flow chart showing steps performed by a router in accordance with 
10 an embodiment consistent with the present invention to filter packets in accordance 
with a router limit. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Reference will now be made in detail to embodiments consistent with the 

15 invention, examples of which are illustrated in the accompanying drawings. 
Wherever possible, the same reference numbers will be used throughout the 
drawings to refer to the same or like parts. 

Fig. 1 is a diagram 100 of an embodiment consistent with the present 
invention which shows a network 102 containing a router 104. An owner 106 

20 disseminates private key S, to senders 1 08 and 1 1 0, as shown by arrows 1 1 6 and 
118. Owner 106 disseminates the private keys by a known method. These private 
keys are also known as secret keys or signature keys. Owner 106 may store a pair 
of keys, one for send and one for listen access, or alternatively, the owner may 
create a table of keys in which the table entries are accessed using an index 

25 corresponding to a particular key. 

Sender 110 receives its private key S, firom owner 106, as shown by arrow 
118. When sender 110 sends a multicast packet, it generates a fingerprint 
corresponding to data contained in a packet, and then uses the sender's private key 
to encrypt the fingerprint. The encrypted fingerprint is a unique signature which is 

30 used to identify that the sender has authorization to send the packet to the multicast 
group. The sender includes the fingerprint and signature with the remaining packet 
contents and then sends the packet. 
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Router 104 receives the packet from sender 108, 110, as shown by arrows 
128, 124, and processes the packet to determine whether to fonward the packet. 
This process is described in further detail below. If a signature is required, exists, 
and is valid, then router 104 fonwards the packet to receiver 1 12, 1 14, as shown by 

5 arrows 130, 126. 

Fig. 2(a) is a block diagram of a data processing system 200 showing an 
embodiment consistent with the present Invention. Data processing system 200 
includes router or firewall system 206, input device 208, output device 210, 
computer readable medium 212, computer readable medium input device 214 and a 

10 network connection 237. Router or firewall system 206 includes processor 202 and 
storage 204 such as a memory. 

Storage 204 contains filtering software 218 and public key table 216. Public 
key table 216 contains one or more public keys of the senders which were 
generated by owner 106. Three public keys P,, Pj, and P3 217 and their associated 

15 indexes 215 are shown in public key table 216. Storage 204 also contains a flag 
213 which detemiines whether this router requires a signature in the multicast 
packet. 

The public keys are obtained from the domain name system (DNS) 412, a 
certification server (not shown), or any other appropriate key distribution scheme, 

20 and are stored in public key table 216. Filtering software 21 8 uses an appropriate 
key from public key table 216 to check the validity of the signature contained in the 
header of an incoming packet. If the signature is valid, then router 206 fonwards the 
packet to receivers 112, 114, as shown by arrows 130, 126. Otherwise, the packet 
may be discarded. This process is described in further detail below. 

25 A person of ordinary skill in the art will understand that data processing 

system 200 may also contain additional infomiation, such as input/output lines; input 
devices, such as a keyboard, a mouse, and a voice input device; and display 
devices, such as a display terminal. Input device 208 may be a floppy disk drive, CD 
ROM reader, or DVD reader, that reads computer instructions stored on a computer 

30 readable medium, such as a floppy disk, a CD ROM, or a DVD drive. Data 

processing system 200 also may include application programs, operating systems, 
data, etc., which are not shown in the figure for the sake of clarity. It also will be 
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understood that data processing system 200 may also include numerous elements 
not shown, such as disk drives, keyboards, display devices, network connections, 
additional memory, additional CPUs, LANs, input/output lines, etc. 

In the following discussion, it will be understood that the steps of methods and 
flow charts discussed preferably are performed by an appropriate processor 202 
executing instructions stored in storage 204. It will also be understood that the 
invention is not limited to any particular implementation or programming technique 
and that the Invention may be implemented using any appropriate techniques for 
implementing the functionality described herein. The invention Is not limited to any 
particular programming language or operating system. 

The instructions in storage 204 may be read from computer-readable medium 
212. Execution of sequences of instructions contained in storage 204 causes 
processor 202 to perform the process steps described herein. In altemative 
embodiments consistent with the present invention, hard-wired circuitry may be used 
in place of or in combination with software instructions to implement the invention. 
Thus, embodiments consistent with the present invention are not limited to any 
specific combination of hardware circuitry and software. 

The term "computer-readable medium" as used herein refers to any medium 
that participates in providing Instructions to a processor for execution. Such a 
medium may take many forms, including but not limited to, non-volatile media, 
volatile media, and transmission media. Non-volatile media includes, for example, 
optical or magnetic disks, such as a storage device. Volatile media includes 
dynamic memory. Transmission media include coaxial cables, copper wire and fiber 
optics, Including the wires that comprise a bus within a computer. Transmission 
media can also take the form of acoustic or light waves, such as those generated 
during radio-wave and infra-red data communications. 

Common forms of computer-readable media include, for example a floppy 
disk, a flexible disk, a hard disk, magnetic tape, or any other magnetic medium, a 
CD-ROM, any other optical medium, punch cards, paper tapes, any other physical 
3 medium with pattems of holes, a RAM, a PROM, an EPROM, a FLASH-EPROM, 
any other memory chip or cartridge, a carrier wave as described hereafter, or any 
other medium from which a computer can read. 



6 



PCTAJS99/06206 

WO 99/55052 

Various forms of computer readable media may be involved in carrying one or 
more sequences of one or more instructions to a processor for execution. For 
example, the instructions may initially be carried on a magnetic disk of a remote 
computer. The remote computer can load the instructions into its dynamic memory 
and send the instructions over a telephone line using a modem. A modem local to 
the computer system can receive the data on the telephone line and use an infra-red 
transmitter to convert the data to an infra-red signal. An infra-red detector coupled 
to a bus can receive the data carried in the infra-red signal and place the data on the 
bus The bus carries data to main memory, from which a processor retrieves and 
executes the instructions. The instructions received by main memory may optionally 
be stored on a storage device either before or after execution by a processor. The 
instructions can also be transmitted via a carrier wave in a network, such as a LAN. 
a WAN, or the internet. 

Fig. 2(b) is a block diagram of a data processing system 219 showing an 
embodiment consistent with the present invention. Data processing system 219 
includes sender system 224. input device 226. output device 228, computer 
readable medium 230. computer readable medium input device 232. and a network 
connection 238. Sender system 224 includes processor 220 and storage 222. such 
as a memory. Sender software 234 and private key table 236 containing indexes 
, 235 to private keys S„ S„ and S3 237 are contained within storage 222. 

Fig. 3 is a diagram showing a format of a packet format 300 which contains 
an IP header 302 and data 304. IP header 302 contains an IP header options field 
322. a fingerprint (also called a digest or a message digest) 308, a signature (also 
called a signed fingerprint or encrypted message digest) 310. and a key index 312. 
5 The key index indicates an entry in a key table where a plurality of keys are 

stored. If only one key is stored, the use of the key index is optional, for example if 
P, was the only key stored in storage 204 in the router. The index is used to retrieve 
a particular key from the table. In public key table 216, indexes 215 point to public 
keys 217. For example, key P, is stored in public key table 216 and is associated 
,0 with an index having a value of 1 . This value is stored in key index 312 in the packet 
header. Similarly, key P^, is associated with an index having a value of 2, and key 
P3. is associated with an index having a value of 3. 
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IP header 302 also includes a source address 314, a source address port 
316, a destination address 318, and a destination address port 320. IP header 
options 322 include a router alert option. The purpose of the router alert option is to 
alert routers to examine the contents of an IP packet more closely and to provide 
backward compatibility with other network protocols. 

The router alert option format contains a 4-byte field in which two of the bytes 
contain a two octet code indicating whether the router should examine the packet. If 
the value of the octet is zero, the packet is examined . If the value of the octet is 
anything else, the packet is not examined. The IP Router Alert Option is described 
more fully in Request for Comments (RFC) 21 13 written by D. Katz in February 
1997, which is herein incorporated by reference to the extent that it is not 
inconsistent with the present invention. It should be understood that packet format 
300 includes other fields not shown in the figure for the sake of clarity. 

Fig. 4 shows a network 102 in a system generally designated 400, an owner 
106, a router 104, and a DNS server 412. DNS server 412 is a general-purpose 
distributed data query service used for translating hostnames into IP addresses. 
DNS server 412 includes a DNS table 408. Owner 106 installs DNS table entry 406 
into DNS table 408. Table entry 406 includes both a public key P, and its associated 
IP address. Router 104 requests DNS table entry 406 from DNS server 412 in order 
to retrieve public key P,. 

In an embodiment consistent with the present invention, owner 106 creates 
and distributes public and private keys. An embodiment consistent with this method 
is shown in Fig. 5 and generally designated 500. In step 502, owner 106 creates 
several public and private key pairs for a multicast and stores them in indexed 
tables. In step 504, owner 1 06 obtains a private multicast address. Next, in step 
506. owner 106 installs the public keys for the multicast. Owner 106 may install the 
public keys in the DNS server 412 or in a certification server. After installing the 
public keys, owner 106 distributes private (secret) keys to authorized senders, in 
step 508. Note that owner 106 may change which senders are authorized by 
D sending a replacement key to a new set of authorized senders and by disallowing 
use of the current key. If there are multiple private keys, an index is associated with 
each key. As shown in Fig. 2, both public key table 216 (in the DNS server) and 
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private key table 236 (in the sender) can be indexed. At step 510, the sender is 
ready to begin. 

In an embodiment consistent with the present invention, sender 1 08 signs a 
packet before sending it. An embodiment consistent with this method is shown in 
Fig. 6 and generally designated 600. In step 602, sender 108 obtains the private 
key and key index 312 (assuming there are multiple keys) from owner 106. This 
step is performed separately at some time before steps 606 - 616. Steps 606 - 616 
send a signed multicast message. In step 606, sender 208 generates a fingerprint 
or digest 308 corresponding to data 304 in packet format 300. Methods for 
generating fingerprint 308 include MD5 and EC2/4 which are described in B. 
Schneier, Applied Crvptoaraphv , John Wiley & Sons, Inc., 1996, Chapter 18.5, which 
is herein incorporated by reference to the extent that it is not inconsistent with the 
present invention. 

Next, in step 608, sender 108 creates signed fingerprint 310 by encrypting 
fingerprint 308 with the private key. The encryption may be implemented by a 
number of suitable encryption methods such as RSA, which is described which is in 
B. Schneier, Applied Crvptoaraphv . John Wiley & Sons, Inc., 1996, Chapter 19.3, 
which is herein incorporated by reference to the extent that it is not inconsistent with 
the present invention. This step is also known as signing the digest. Signed 
fingerprint 310 may be referred to as the signature. In step 609. sender 108 decides 
what to use for index 312. After creating signature 310 and deciding on an index, 
sender 108, in step 610, combines fingerprint 308, signature 310, index 312, and 
data 304 into one packet. Sender 108 then multicasts the packet in step 612. In 
step 614, sender 108 checks to find out if it has finished processing packets. If yes, 
then processing is over, step 616. If not, then sender 108 begins processing the 
next packet in step 604. 

An embodiment consistent with the present invention, includes a "logical 
place" called a "filter point" which filters receive packets. The filter point receives a 
packet including header and data, detects the existence of a signature in the header. 
I and forwards the packet in accordance with the validity of the signature. A filter 
point may be. for example, a router 104 or a firewall of an intranet. An embodiment 
consistent with this method is shown in the flow chart of Fig. 7 and generally 
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designated 700. In step 702, router 104 receives a packet having format 300. The 
packet is received from one of a sender 108, 1 10. 

In step 704, router 104 determines whether packet format 300 contains a 
signature 310 by Inspecting the router alert In IP header options field 322. If no 
signature 310 exists in packet fomiat 300, router 104 then determines, In step 706, 
whether a signature Is required. If a signature Is not required, In step 708, router 
104 fonwards the packet. However, If a signature is required, and no signature Is 
present, router 104 discards the packet, step 710. Router 104 preferably 
determines whether a signature is required by checking a flag 213 In storage 204. 
The flag may be set by any appropriate source. 

If a signature 310 exists In packet format 300, router 104 then determines 
whether It has a valid public key corresponding to a valid key index. If applicable, in 
step 712. If router 104 does not have the public key, then it gets the public key from 
the Domain Name Server (DNS) 412, or from a certification server In step 714. 
Once router 104 has the public key, it uses the public key to check signature 310 in 
step 716. This checking step is done by decrypting the signature 310 to yield a 
decrypted fingerprint. If the decrypted fingerprint equals fingerprint 308 In the 
packet, then the signature Is valid. Router 104 then determines whether signature 
310 is valid by comparing the decrypted fingerprint and the fingerprint 308. If the 
two values match, the signature is valid. If signature 310 is valid, router 104 
forwards the packet in step 720. If signature 310 is not valid, then router 104 
discards the packet, in step 722. 

An embodiment consistent with the present invention includes a router which 
filters packets In accordance with a predetermined router limit. An embodiment 
consistent with this method is shown in the flow chart of Fig. 8 and generally 
designated 800. At the start of this method, step 802, a predetermined router limit 
exists. This predetemiined limit may be, for example, a rate at which the router may 
receive packets from a particular source or sender. Such a predetermined rate is 
useful in preventing denial of service attacks in which an unauthorized sender sends 
numerous unauthorized packets to the router. 

First the router receives a packet, in step 804, and then in step 806, 
determines the particular source of the received packet. The number of packets 
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received from the source during the predetermined time period, i.e. the rate at which 
packets from this source are being received is determined in step 808. The router 
checks the router limit in step 810 by checking whether the maximum rate for the 
particular source has been exceeded. If the rate limit has been exceeded, the router 
discards the packet, in step 820. Otherwise, if the rate limit has not been exceeded, 
the router detects and checks the signature and routes the packet accordingly in 
step 812. See steps 704-722 of Fig. 7 above for more detail. 

Other embodiments consistent with the present invention will be apparent to 
those skilled in the art from consideration of the specification and practice of the 
invention disclosed herein. It is Intended that the specification and examples be 
considered as exemplary only, with a true scope of the invention being indicated by 
the following claims and equivalents. 
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1. A method of filtering packets, performed by a data processor, comprising 
the steps of: 

receiving a packet including a header; 

detecting the existence of a signature in the header; and 

fonwarding the packet in accordance with the validity of the signature. 

2. The method of claim 1 , wherein the steps of claim 1 are performed by a 
filter point and further comprising the step of disseminating a public/private key pair 
to, respectively, the filter point and a sender. 

3. The method of claim 2, wherein the public keys and the private keys are 
stored in indexed tables. 

4. The method of claim 1 , wherein the step of forwarding the packet includes 
the step of discarding packets having an invalid signature. 

5. The method of claim 1 , wherein the packet is signed by a sender using a 
private key of the sender and wherein the validity of the signature is determined by 
checking the signature, by a router, using a public key of the sender. 

6. The method of claim 1 , wherein the data processing system is a firewall. 

7. The method of claim 1 , wherein the packet is signed by a sender using a 
private key of the sender and wherein the validity of the signature is determined by 
checking the signature, by a firewall, using a public key of the sender. 

8. The method of claim 7, further including the steps, perfomned by the 
sender, to sign the packet, of: 

creating a fingerprint corresponding to the data; and 
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encrypting the fingerprint using the sender's private key to yield the 
signature. 



9. The method of claim 8, wherein the step of checking the signature 
5 Includes the steps of: 

decrypting the fingerprint using a public key of the sender; and 
comparing the decrypted fingerprint to a fingerprint of the data. 

10. A method of claim 1 , further comprising: 

10 determining a number of packets received in a predetermined time period 

from the source; 

forwarding the packet in accordance with the validity of the detected 
signature and whether the number of packets received in the predetermined time 
period from the source has exceeded a router limit for the particular source. 

15 

11. The method of claim 1 0 wherein the router limit is associated with a 
number of packets per minute. 

12. The method of claim 10 wherein the router limit Is associated with a 
20 predetermined set of senders. 
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13. An apparatus that filters packets, comprising: 

circuitry configured to receive a packet Including a header; 

circuitry configured to detect the existence of a signature in the header; 

5 and 

circuitry configured to fonward the packet in accordance with the validity of 
the signature. 

14. The apparatus of claim 1 3, further comprising circuitry configured to 
10 disseminate a public/private key pair to, respectively, a filter point and a sender. 

15. The apparatus of claim 14, wherein the public keys and the private keys 
are stored in indexed tables. 

15 16. The apparatus of claim 1 3, wherein the circuitry configured to fonward the 

packet further includes circuitry configured to discard packets having an invalid 
signature. 

17. The apparatus of claim 13, wherein the packet is signed by a sender 
20 using a private key of the sender and wherein the validity of the signature is 

determined by checking the signature, by a router, using a public key of the sender. 

1 8. The apparatus of claim 13, wherein the data processing system is a 
firewall. 

25 

19. The apparatus of claim 13, wherein the packet is signed by a sender 
using a private key of the sender and wherein the validity of the signature is 
determined by checking the signature, by a firewall, using a public key of the sender. 

30 20. The apparatus of claim 19, further including: 

circuitry configured to create a fingerprint corresponding to the data; and 
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circuitry configured to encrypt the fingerprint using the sender's private l<ey 
to yield the signature. 



21 . The apparatus of claim 20, wherein the circuitry configured to check the 
5 signature further includes: 

circuitry configured to decrypt the fingerprint using a public key of the 
sender; and 

circuitry configured to compare the decrypted fingerprint to a fingerprint of 

the data. 

10 

22. A apparatus of claim 13, further including: 

circuitry configured to determine a number of packets received in a 
predetermined time period from the source; 

circuitry configured to detect the existence of a signature in the header; 

15 and 

circuitry configured to forward the packet in accordance with the validity of 
the detected signature and whether the number of packets received in the 
predetermined time period from the source has exceeded a router limit for the 
particular source. 

20 

23. The apparatus of claim 22 wherein the router limit is associated with a 
number of packets per minute. 

24. The apparatus of claim 22 wherein the router limit is associated with a 
25 predetermined set of senders. 

25. An apparatus for filtering packets, comprising: 
means for receiving a packet including a header; 

means for detecting the existence of a signature in the header; and 
30 means for forwarding the packet in accordance with the validity of the 

signature. 
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26. A computer program product, comprising: 

a computer usable medium having computer readable code embodied 
therein for filtering packets in a network that includes one or more systems, the 
computer program product including: 
5 computer readable program code devices configured to cause a computer 

to receive a packet including a hieader; 

computer readable program code devices configured to cause a computer 
to detect the existence of a signature in the header; and 

computer readable program code devices configured to cause a computer 
10 to fonward the packet in accordance with the validity of the signature. 

27. The computer program product of claim 26, further comprising computer 
readable program code devices configured to disseminate a public/private key pair 
to, respectively, a filter point and a sender. 

15 

28. The computer program product of claim 27, wherein the public keys and 
the private keys are stored in indexed tables. 

29. The computer program product of claim 26, wherein the computer 
20 readable program code devices configured to fonvard the packet further include 

computer readable program code devices configured to discard packets having an 
invalid signature. 

30. The computer program product of claim 26, wherein the packet is signed 
25 by a sender using a private key of the sender and wherein the validity of the 

signature is determined by checking the signature, by a router, using a public key of 
the sender. 

31 . The computer program product of claim 26, wherein the data processing 
30 system is a firewall. 



16 



wo 99/55052 PCTAJS99/06206 

32. The computer program product of claim 26, wherein the packet is signed 
by a sender using a private key of the sender and wherein the validity of the 
signature Is determined by checking the signature, by a firewall, using a public key of 
the sender. 

5 

33. The computer program product of claim 32, further comprising: 
computer readable program code devices configured to create a fingerprint 

corresponding to the data; and 

computer readable program code devices configured to encrypt the 
10 fingerprint using the sender's private key to yield the signature. 

34. The computer program product of claim 33, wherein the computer 
readable program code devices configured to check the signature further include: 

computer readable program code devices configured to decrypt the 
15 fingerprint using a public key of the sender; and 

computer readable program code devices configured to compare the 
decrypted fingerprint to a fingerprint of the data. 

35. A computer program product of claim 26, further comprising: 
computer readable program code devices configured to determine a 

number of packets received in a predetemiined time period from the source; 

computer readable program code devices configured to fonvard the 
packet in accordance with the validity of the detected signature and whether the 
number of packets received in the predetermined time period from the source has 
exceeded a router limit for the particular source. 

36. The computer program product of claim 35 wherein the router limit is 
associated with a number of packets per minute. 

30 37. The computer program product of claim 35 wherein the router limit is 

associated with a predetermined set of senders. 

17 
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38. A computer data signal embodied in a earner wave and representing 
sequences of instructions whicli, when executed by a processor, cause said 
processor to filter packets by performing the steps of: 

executing a computer program to receive a packet including a header; 
s executing the computer program to detect the existence of a signature in 

the header; and 

executing the computer program to fonward the packet in accordance with 
the validity of the signature. 

10 39. The method of claim 38, wherein the steps of claim 1 are performed by a 

filter point and further comprising the step of disseminating a public/private key pair 
to, respectively, the filter point and a sender. 

40. The method of claim 39, wherein the public keys and the private keys are 
15 stored in indexed tables. 

41 . The method of claim 38, wherein the step of fonwarding the packet 
includes the step of discarding packets having an invalid signature. 

20 42. The method of claim 38, wherein the packet is signed by a sender using 

a private key of the sender and wherein the validity of the signature is determined by 
checking the signature, by a router, using a public key of the sender. 

43. The method of claim 38, wherein the data processing system is a firewall. 

25 

44. The method of claim 38, wherein the packet is signed by a sender using 
a private key of the sender and wherein the validity of the signature is determined by 
checking the signature, by a firewall, using a public key of the sender. 

30 45. The method of claim 44, further including the steps, performed by the 

sender, to sign the packet, of: 

creating a fingerprint corresponding to the data; and 
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encrypting the fingerprint using the sender's private key to yield the 
signature. 



46. The method of claim 45, wherein the step of checking the signature 
includes the steps of: 

decrypting the fingerprint using a public key of the sender; and 
comparing the decrypted fingerprint to a fingerprint of the data. 

47. A method of claim 38, further comprising: 

determining a number of packets received in a predetermined time period 
from the source; 

detecting the existence of a signature in the header; and 
foHA^ardlng the packet In accordance with the validity of the detected 
signature and whether the number of packets received In the predetermined time 
period from the source has exceeded a router limit for the particular source. 

48. The method of claim 47 wherein the router limit is associated with a 
number of packets per minute. 

49. The method of claim 47 wherein the router limit Is associated with a 
predetennlned set of senders. 
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50. A method for sending packets, performed by a data processor, 
comprising the steps of: 

storing a private l<ey in a memory of the data processor; 
generating a signature using the private i<ey; 
installing the signature into a header of a packet; and 
sending the packet. 

51 . An apparatus that sends packets, comprising: 

circuitry configured to store a private key in a memory of the apparatus; 
circuitry configured to generate a signature using the private key; 
circuitry configured to install the signature Into a header of a packet; and 
circuitry configured to send the packet. 

52. An apparatus for sending packets, comprising: 

means for storing a private key In a memory of the apparatus; 
means for generating a signature using the private key; 
means for Installing the signature into a header of a packet; and 
means for sending the packet. 

53. A computer program product, comprising: 

a computer usable medium having computer readable code embodied 
therein for sending packets in a network that includes one or more systems, the 
computer program product including: 

computer readable program code devices configured to cause a computer 
to store a private key in a memory; 

computer readable program code devices configured to cause a computer 
to generate a signature using the private key; 

computer readable program code devices configured to cause a computer 
to install the signature into a header of a packet; and 

computer readable program code devices configured to cause a computer 
to send the packet. 
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54. A computer data signal embodied in a carrier wave and representing 
sequences of instructions which, when executed by a processor, cause said 
processor to send packets by performing the steps of: 

executing a computer program to store a private key in a memory; 
5 executing the computer program to generate a signature using the private 

key; 

executing the computer program to install the signature into a header of a 
packet; and 

executing the computer program to send the packet. 

10 

55. An apparatus that filters packets, comprising: 

circuitry configured to receive, from a source, a packet including a header; 

circuitry configured to determine a number of packets received in a 
predetermined time period from the source; 
IS circuitry configured to detect the existence of a signature in the header; 

and 

circuitry configured to fonward the packet in accordance with the validity of 
the detected signature and whether the number of packets received In the 
predetermined time period from the source has exceeded a router limit for the 
20 particular source. 

56. An apparatus for filtering packets, comprising: 

means for receiving, from a source, a packet including a header; 
means for detennining a number of packets received in a predetermined 
25 time period from the source; 

means for detecting the existence of a signature in the header; and 
means for fon/varding the packet In accordance with the validity of the 
detected signature and whether the number of packets received in the 
predetermined time period from the source has exceeded a router limit for the 
30 particular source. 

57. A computer program product, comprising: 
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a computer usable medium having computer readable code embodied 
therein for filtering packets in a network that includes one or more systems, the 
computer program product including: 

computer readable program code devices configured to cause a computer 
5 to receive, from a source, a packet Including a header; 

computer readable program code devices configured to cause a computer 
to determine a number of packets received In a predetermined time period from the 
source; 

computer readable program code devices configured to cause a computer 
10 to detect the existence of a signature in the header; and 

computer readable program code devices configured to cause a computer 
to fon/vard the packet in accordance with the validity of the detected signature and 
whether the number of packets received In the predetermined time period from the 
source has exceeded a router limit for the particular source. 

15 

58. A computer data signal embodied in a carrier wave and representing 
sequences of instructions which, when executed by a processor, cause said 
processor to filter packets by performing the steps of: 

executing a computer program to receive, from a source, a packet 
20 Including a header; 

executing the computer program to detemnlne a number of packets 
received In a predetennlned time period from the source; 

executing the computer program to detect the existence of a signature in 
the header; and 

25 executing the computer program to forward the packet in accordance with 

the validity of the detected signature and whether the number of packets received in 
the predetermined time period from the source has exceeded a router limit for the 
particular source. 
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